Replies

We use a non-routable VLAN as our native VLAN in our data centres. This VLAN should never have any physical ports assigned to it.

You are still open to some attacks, though. 802.1Q needs the concept of a native VLAN for compatibility, so if you can't clear it off the trunks, the next best thing is to do as above, i.e. use a non-routable, unused VLAN.

Attached is a link to VLAN security by Cisco which covers this in more detail.
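The check a practitioner would want after reading the reply above, as an added example that is not part of the original post and not Cisco's own tooling: a small audit script that parses an IOS-style switch configuration and flags (a) trunks still on the default native VLAN 1, (b) trunks whose native VLAN also has access ports assigned (the condition the reply says must never occur), and (c) the absence of a global `vlan dot1q tag native` setting. The sample configuration, interface names and VLAN numbers are constructed for illustration, and whether `vlan dot1q tag native` is available depends on the platform, so treat that line as an assumption to verify against your own switch rather than as a statement about any specific model.

```python
"""Audit an IOS-style switch config for native-VLAN hygiene.

Added example, not from the original post or from Cisco. The config text,
interface names and VLAN numbers below are constructed; the global
'vlan dot1q tag native' command is assumed to be supported by the platform.
"""
from collections import defaultdict

# Constructed sample: one trunk left on the default native VLAN 1, one trunk
# moved to VLAN 999, and an access port wrongly placed in that same VLAN 999.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 10
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {ifname: {"mode": ..., "native": int, "access": int}}.

    Both the native VLAN on a trunk and the access VLAN default to 1 when
    not configured, matching IOS defaults; that default is itself a finding.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(
                line.split()[1], {"mode": None, "native": 1, "access": 1})
        elif current is not None and line.startswith(" "):
            if stripped == "switchport mode trunk":
                current["mode"] = "trunk"
            elif stripped == "switchport mode access":
                current["mode"] = "access"
            elif stripped.startswith("switchport trunk native vlan "):
                current["native"] = int(stripped.split()[-1])
            elif stripped.startswith("switchport access vlan "):
                current["access"] = int(stripped.split()[-1])
        else:
            # Any top-level line (including '!') ends the interface stanza.
            current = None
    return interfaces


def audit(config: str) -> list:
    """Return a list of human-readable findings; empty means clean."""
    ifaces = parse_interfaces(config)
    tag_native = any(l.strip() == "vlan dot1q tag native"
                     for l in config.splitlines())
    access_by_vlan = defaultdict(list)
    for name, i in ifaces.items():
        if i["mode"] == "access":
            access_by_vlan[i["access"]].append(name)

    findings = []
    for name, i in sorted(ifaces.items()):
        if i["mode"] != "trunk":
            continue
        if i["native"] == 1:
            findings.append(f"{name}: native VLAN is 1 (default); "
                            "move it to an unused, non-routable VLAN")
        ports = access_by_vlan.get(i["native"], [])
        if ports:
            findings.append(f"{name}: native VLAN {i['native']} also has "
                            f"access ports {', '.join(ports)}; untagged "
                            "trunk frames reach those ports")
    if not tag_native:
        findings.append("global: 'vlan dot1q tag native' not set; native "
                        "VLAN frames stay untagged on trunks")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file; the third finding is advisory, since tagging the native VLAN is only a complement to, not a replacement for, keeping physical ports out of it.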